As a software start-up, we were used to having everyone in the office, working closely and enthusiastically to move the product and company forward. We do have a couple of remote team members and a VPN to secure access to the office network, but working from home, and consequently the VPN, was not a top priority.
Like a lot of small businesses (as well as larger ones), we’ve had to adapt to the new normal that is the Coronavirus, which means the whole company working from home.
Much of what we do is in the cloud (AWS, GitHub, Slack, Jira, Salesforce, Google Drive), but as part of our defense-in-depth strategy, most critical resources are only accessible from the office or VPN. We also have a firewall certification and penetration testing lab in the office that the engineering and data science team uses extensively. The net-net is that we needed to take a hard look at our VPN infrastructure and make sure that we were prepared for our new working model.
The first question we asked was – “Can my VPN handle all of the additional people using it?” The answer was basically “Yes”, but only if it’s used for the CyGlass resources that require the VPN. The VPN doesn’t have enough bandwidth for Spotify or YouTube or GoToMeeting. That traffic should stay routed over the ISP.
The capability of routing some traffic over a VPN and the rest outside it is called split tunneling. There are pros and cons to split tunneling, and I don’t want to get into that argument here, but quickly:
Split Tunnel Advantages – Eliminates VPN Bottlenecks
Split Tunnel Disadvantages – Doesn’t use the company’s network security controls for non-VPN traffic.
Regardless of whether split tunneling is allowed or not, some traffic is supposed to go over the VPN and some is not. CyGlass NDaaS can monitor network traffic against a policy and alert when there are violations.
Policies in CyGlass are tied to network zones. A zone can be a list of domains, countries, or internal network ranges. So, in CyGlass we can define a zone called “VPN”.
The VPN Zone in CyGlass is configured for the FortiClientVPN subnet
We can then create a policy for the VPN zone that alerts on any traffic from the VPN zone that goes to an external destination.
This shouldn’t happen if the VPN server is configured correctly, but mistakes happen, especially when people are in a hurry. Policies in CyGlass can not only detect security risks but also ensure that important security and operational decisions are enforced on the network.
Here’s an example of this policy being violated.
When this policy violation is triggered, we can investigate the activity.
By correlating the VPN User IP with the logs in our VPN server, we can investigate and resolve the issue.
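The check and the correlation step described above can be sketched in a few lines. This is an added example, not CyGlass code or configuration: the subnets, flow records, session log and user names are all constructed, and the function names are hypothetical. It matches on the lease time window as well as the IP, because VPN pool addresses are reassigned between users.

```python
import ipaddress
from datetime import datetime

# Assumed address plan (constructed): the page does not give real ranges.
VPN_ZONE = ipaddress.ip_network("10.212.134.0/24")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (time, source IP, destination IP, destination port)
FLOWS = [
    ("2020-03-23T09:15:00", "10.212.134.20", "10.1.5.10", 443),     # VPN -> lab, allowed
    ("2020-03-23T09:40:00", "10.212.134.20", "203.0.113.50", 443),  # VPN -> external
    ("2020-03-23T10:05:00", "192.168.1.44", "198.51.100.7", 443),   # office -> external
    ("2020-03-23T14:30:00", "10.212.134.20", "198.51.100.7", 80),   # same pool IP, later lease
]

# Constructed VPN server session log: (user, assigned IP, lease start, lease end)
SESSIONS = [
    ("alice", "10.212.134.20", "2020-03-23T08:55:00", "2020-03-23T12:10:00"),
    ("bob",   "10.212.134.20", "2020-03-23T13:45:00", "2020-03-23T18:00:00"),
]

def t(s):
    return datetime.fromisoformat(s)

def find_violations(flows):
    """Return flows whose source is in the VPN zone and whose destination is external."""
    hits = []
    for ts, src, dst, port in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        external = not any(dst_ip in net for net in INTERNAL)
        if src_ip in VPN_ZONE and external:
            hits.append((ts, src, dst, port))
    return hits

def attribute(violation, sessions):
    """Map a violation to a user by IP and lease window; pool IPs get reused."""
    ts, src = t(violation[0]), violation[1]
    for user, ip, start, end in sessions:
        if ip == src and t(start) <= ts <= t(end):
            return user
    return None  # no matching lease: clock skew or missing VPN log entries

if __name__ == "__main__":
    for v in find_violations(FLOWS):
        print(v, "->", attribute(v, SESSIONS))
```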
We’re getting a lot of requests from customers and partners on how we can help them as more and more of their employees are working from home over VPNs. In the product today, we can alert when VPN policies are not being followed. We think this is an important first step in companies using VPNs more broadly.